A critical security flaw in one of the most widely used Python web frameworks has left millions of AI agents, machine learning tools, and production services vulnerable to unauthenticated attackers. The vulnerability, tracked as CVE-2026-48710 and nicknamed “BadHost,” affects Starlette, an open source framework that receives 325 million downloads per week.
That’s not a typo. 325 million. Per week. And because Starlette serves as the foundation for FastAPI and a sprawling ecosystem of Python async projects, the blast radius extends far beyond a single library.
What BadHost actually does
Starlette reconstructs a request’s URL by taking the HTTP Host header, which an attacker can freely manipulate, and concatenating it with the request path before re-parsing the result. The framework never validates that Host header first.
By injecting certain characters like /, ?, or # into the Host header, an attacker can alter where path boundaries fall in the reconstructed URL. This lets them slip past any middleware that relies on path-based authentication checks. No credentials needed. No sophisticated exploit chain. Just a crafted HTTP header.
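The defence that follows from the description above is to reject a Host header before any URL is rebuilt from it. The code below is an added illustration, not Starlette's own code and not the BadHost patch: it is a small stdlib-only validator that (a) accepts only a `host[:port]` shape with no URL delimiters, (b) checks the hostname against a constructed allowlist, and (c) shows the round-trip test that exposes the failure mode, i.e. rebuilding `scheme://host + path`, re-parsing it, and requiring the host and path to come back unchanged. All function names, the wildcard allowlist semantics and the sample headers are assumptions made for this example.

```python
"""Defensive Host header validation (constructed example, not Starlette code).

A framework that builds a URL as scheme + "://" + host + path and re-parses it
lets any "/", "?" or "#" inside Host move the path boundary. Validating Host
before it is ever concatenated removes that ambiguity at the edge.
"""
import re
from urllib.parse import urlsplit

# RFC 1123 style label: alphanumerics with inner hyphens, at most 63 chars.
_LABEL = r"[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
_HOSTNAME = rf"{_LABEL}(?:\.{_LABEL})*\.?"
_IPV6 = r"\[[0-9A-Fa-f:.]+\]"          # bracketed IPv6 literal
_HOST_RE = re.compile(rf"(?:{_HOSTNAME}|{_IPV6})(?::\d{{1,5}})?")


def is_valid_host_header(host: str) -> bool:
    """True only if the raw Host value is host[:port] with no URL delimiters."""
    if not host or len(host) > 255:
        return False
    return _HOST_RE.fullmatch(host) is not None


def hostname_of(host: str) -> str:
    """Strip an optional :port from an already validated Host value."""
    if host.endswith("]"):            # bare IPv6 literal without a port
        return host
    name, sep, port = host.rpartition(":")
    return name if sep and port.isdigit() else host


def host_allowed(host: str, allowed: list[str]) -> bool:
    """Allowlist check. Patterns are exact names or '*.suffix' (constructed
    semantics for this example; '*' alone allows everything)."""
    if not is_valid_host_header(host):
        return False
    name = hostname_of(host).lower().rstrip(".")
    for pattern in allowed:
        pattern = pattern.lower()
        if pattern == "*" or name == pattern:
            return True
        if pattern.startswith("*.") and name.endswith(pattern[1:]):
            return True
    return False


def url_round_trips(host: str, path: str, scheme: str = "http") -> bool:
    """Rebuild scheme://host + path the way a framework might, re-parse it and
    require netloc and path to come back unchanged. Any Host carrying '/',
    '?' or '#' shifts the boundaries and fails this check."""
    try:
        parts = urlsplit(f"{scheme}://{host}{path}")
    except ValueError:                # e.g. malformed IPv6 brackets
        return False
    return (parts.netloc == host and parts.path == path
            and not parts.query and not parts.fragment)


def check_request(host: str, path: str, allowed: list[str]) -> tuple[bool, str]:
    """Combined gate a middleware would run before any path-based authz."""
    if not is_valid_host_header(host):
        return False, "malformed Host header"
    if not host_allowed(host, allowed):
        return False, "Host not in allowlist"
    if not url_round_trips(host, path):
        return False, "Host alters reconstructed URL"
    return True, "ok"


if __name__ == "__main__":
    # Constructed sample headers; the first is benign, the rest are rejected.
    samples = ["api.example.com", "api.example.com:8443",
               "api.example.com/x", "api.example.com?x", "api.example.com#x"]
    for h in samples:
        print(f"{h!r:28} -> {check_request(h, '/admin', ['*.example.com'])}")
```

In a real deployment the allowlist belongs in configuration, and the round-trip test is a regression guard rather than a per-request cost: once Host is restricted to `host[:port]`, `url_round_trips` cannot fail, so a failing test indicates the validator was bypassed or relaxed.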